Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-33448
Publication date:
30/04/2026
CVE-2026-33448 is a format string vulnerability in the logging subsystem<br /> of Secure Access client for MacOS prior to 14.50. Attackers with <br /> control of a modified server can force the client to dump the contents <br /> of a small portion of memory to the log files potentially revealing <br /> secrets.
Severity CVSS v4.0: MEDIUM
Last modification:
05/05/2026

CVE-2025-46115
Publication date:
30/04/2026
An issue in open5gs v.2.7.3 allows a remote attacker to cause a denial of service via a crafted PDU Session Modification Request
Severity CVSS v4.0: Pending analysis
Last modification:
04/05/2026

CVE-2025-56568
Publication date:
30/04/2026
Assertion failure vulnerability in the PCO (Protocol Configuration Options) parser in the SMF (Session Management Function) component of Open5GS before v2.7.5 allows remote attackers to cause denial of service via specially crafted NGAP messages containing malformed length fields in protocol configuration data.
Severity CVSS v4.0: Pending analysis
Last modification:
04/05/2026

CVE-2026-33446
Publication date:
30/04/2026
CVE-2026-33446 is a buffer overflow in the authentication sub-system of <br /> the Secure Access client prior to 14.50. Attackers with control of a <br /> modified server can send a special packet that can overwrite a small <br /> portion of memory conceivably leading to memory corruption or a denial <br /> of service.
Severity CVSS v4.0: LOW
Last modification:
05/05/2026

CVE-2026-33447
Publication date:
30/04/2026
CVE-2026-33447 is a buffer overflow in a message parsing function of the<br /> Secure Access client prior to 14.50. Attackers with control of a <br /> modified server can send a special packet that can overwrite a small <br /> portion of memory conceivably leading to memory corruption or denial of <br /> service.
Severity CVSS v4.0: LOW
Last modification:
05/05/2026

CVE-2026-40601
Publication date:
30/04/2026
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify that the target chart belongs to a public report, that the project is public, or that sharing policy allows the operation. An unauthenticated attacker who knows a chart identifier can trigger a data refresh and retrieve the current data of private charts. This issue has been patched in version 5.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2026

CVE-2026-40603
Publication date:
30/04/2026
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes a legacy dashboard route that returns a project&amp;#39;s report data to any authenticated member of the same team, even when that user does not have access to the specific project. The route bypasses project-level authorization and returns the raw project object. As a result, a low-privileged same-team user can read another project&amp;#39;s dashboard data and recover the project&amp;#39;s stored report password from the response. This issue has been patched in version 5.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2026

CVE-2026-40904
Publication date:
30/04/2026
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged project members at the team level instead of binding the requested dataset_id, dataRequest id, and connection_id to the caller&amp;#39;s allowed projects. An authenticated attacker who only has access to one project inside a team can read, execute, create, update, and delete datasets and data requests that belong to other projects in the same team. The issue is exploitable remotely with ordinary project-level credentials and leads to cross-project data disclosure and unauthorized use of victim-side database or API connections. This issue has been patched in version 5.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2026

CVE-2026-7461
Publication date:
30/04/2026
Improper neutralization of inputs used in an OS command in the FSx Windows File Server volume mounting component in Amazon ECS Agent on Windows before version 1.103.0 might allow a remote authenticated threat actor to execute shell commands with SYSTEM privileges on the underlying host via a specially crafted username field in an ECS task definition. This issue requires permissions to register ECS task definitions or write to the Secrets Manager or SSM Parameter Store credentials used by the FSx volume configuration.<br /> <br /> To remediate this issue, users should upgrade to version 1.103.0.
Severity CVSS v4.0: HIGH
Last modification:
05/05/2026

CVE-2026-35514
Publication date:
30/04/2026
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoint directly to create a fully active account and receive a valid JWT — even when the instance has existing users and signupRestricted is enabled. This bypass is distinct from the normal registration endpoint (POST /user) which enforces signupRestricted and sets active: false pending verification. This issue has been patched in version 5.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2026

CVE-2026-40595
Publication date:
30/04/2026
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes public chart retrieval and export routes that only verify project-level public access and, for exports, a team-level export toggle. The routes do not verify whether the target chart is actually allowed on the public report or whether the governing SharePolicy permits public access. An unauthenticated attacker who knows a chart identifier in a public project can read or export chart data for charts that were intentionally hidden from the report. This issue has been patched in version 5.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2026

CVE-2026-40600
Publication date:
30/04/2026
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affected routes authorize the caller against the project in the URL path, but they never verify that policy_id belongs to that project. This permits cross-project modification of dashboard sharing rules, including visibility, password requirements, allowed parameters, and expiration settings. This issue has been patched in version 5.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2026
Subscribe to Vulnerabilities